This report is confidential and is intended for use by the Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, 
does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, 
however such loss or damage is caused. 


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 
1 Executive Summary 


1.1 Background 
Our review considered the ICO's arrangements for monitoring and 
implementing recommendations from internal audit reviews. 


1.2 Scope 

We reviewed the assurances available to the Audit Committee that 
recommendations are being implemented in a timely manner, following up 
recommendations made in 2014-15. 


We focussed on the following risk: 


The ICO's arrangements for following up audit recommendations may not 
be adequate resulting in recommendations not being completed on 
time and to a satisfactory standard. Outstanding recommendations 
could leave the ICO exposed to risks that are deemed to be 
unacceptable resulting in a lack of comfort for the Audit Committee 
and senior management that the internal control framework is 
operating effectively. 


Further details on responsibilities, approach and scope are included in 
Appendix A. 


1.3 Overall assessment 
We have made an overall assessment of our findings as: 


Overall assessment 


Activities and controls were operating with sufficient effectiveness to 
provide reasonable assurance that the related risk management 
objectives were achieved during the period under review. 


Refer to Appendix B for definitions of internal audit opinion and 
recommendation ratings. 


1.4 Controls identified 
During our review we confirmed that the following controls have 
continued to operate during 2015-16: 


The Senior Corporate Governance Manager maintains a log of outstanding 
audit recommendations, which is presented to the Audit Committee at 
each meeting for discussion and challenge. 

This log is available on the ICON system, to allow recommendation 
owners to view their outstanding recommendations, and they are 
reminded individually when updates are needed. 

The log shows the due date for implementation of recommendations, as 
well as a forecast due date if this is expected to be different. An 
accompanying explanation is provided for any re-forecast due dates. 

Implemented recommendations are recorded separately from ongoing 
recommendations to allow the Audit Committee to focus clearly on 
those which remain outstanding, but implemented recommendations 
do remain on the Register until the end of the financial year to which 
they relate. 

The log also separately records external audit recommendations to 
differentiate clearly from those raised by internal audit. 

A performance update is provided with the outstanding recommendations 
log to each Audit Committee meeting, giving oversight of the number 
of overdue recommendations. 

We followed up on all six recommendations recorded as being cleared on 
the March 2016 log reported to the Audit Committee. We confirmed 
that each had been appropriately addressed as reported. 


1.5 Summary of recommendations 

We reviewed the recommendations log and established that there were 18 
recommendations in total, of which 6 had been completed. 
Recommendations which were completed were tested to ensure they had 
been implemented and that evidence was in place to support the change required. 
The following table summarises the recommendations at the time of 
review: 


a High n 2A 
Outstanding - 5 6 1 12 
Cleared - 2 3 1 6 
Totals - 7 9 2 18 


We noted that 2 of the 18 recommendations had revised dates. 


1.6 Acknowledgement 
We would like to take this opportunity to thank the staff involved for 
their co-operation during this internal audit. 
Internal audit approach 


Approach 

Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards and the Auditing 
Practices Board’s “Guidance for Internal Auditors”. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). 


Our internal audit approach is based upon the underlying principles of the 
UK Corporate Governance Code (2010) together with the associated 
Turnbull Committee guidelines on internal control (2005) that require 
management to identify, assess and manage the risks that are significant to 
the achievement of the organisation’s overall business objectives. We will 
also have regard to the HM Treasury Management of Risk Guidance 
(2001). Our role as internal auditor is to provide objective and independent 
assurance to the Audit Committee and management that it is doing so 
successfully for each of the areas being audited. 


As part of our 2015-16 Audit Plan, we agreed with the Audit Committee 
and management that we should carry out a review of the ICO's 
arrangements for managing its follow up of audit recommendations to 
further inform our ongoing understanding of the ICO’s key internal 
control activities. 


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 
Scope 
Our review focused on the following risk: 


The ICO's arrangements for following up audit recommendations may not 
be adequate resulting in recommendations not being completed on 
time and to a satisfactory standard, with the ICO remaining exposed to 
risks that are deemed to be unacceptable resulting in a lack of comfort 
for the Audit Committee and senior management that the internal 
control framework is operating effectively. 


Additional information 
Client staff 
The following staff were consulted as part of this review: 


Peter Bloomfield — Senior Corporate Governance Manager 
Paul Arnold — Head of Customer and Business Services 
Mike Collins — Head of Organisational Development 


Documents received 

The following documents were received during the course of this audit: 

Audit Committee minutes and accompanying reports on outstanding audit 
recommendations 

Evidence to support the sample of recommendations reported to the 
Audit Committee as implemented 

Progress of audit findings provided by Senior Corporate Governance 
Manager 
Appendices 


Definition of internal audit opinion and ratings 


Audit issue rating 
Within each report, every audit issue is given a rating. The ratings are summarised in the table below. 


Rating Description Features 

Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management 
Features: 
- Key control not designed or operating effectively 
- Potential for fraud identified 
- Non compliance with key procedures / standards 
- Non compliance with regulation 

Description: Important findings that are to be resolved by line management. 
Features: 
- Impact is contained within the department and compensating controls would detect errors 
- Possibility for fraud exists 
- Control failures identified but not in key controls 
- Non compliance with procedures / standards (but not resulting in key control failure) 

Description: Findings that identify non-compliance with established procedures. 
Features: 
- Minor control weakness 
- Minor non compliance with procedures / standards 

Description: Items requiring no action but which may be of interest to management or best practice advice 
Features: 
- Information for department management 
- Control operating but not necessarily in accordance with best practice 